Mailbox.org Review

Mailbox.org is a private email provider based in Germany, a location that is generally thought to be great for privacy. This puts Mailbox.org in an elite group of private email providers such as Tutanota and Posteo - which are both also based in Germany. Mailbox.org has previously been recommended by the German consumer watchdog Stiftung Warentest, which is a highly respected independent organization.

Despite this generally positive outlook, it is worth noting that Germany’s Federal Intelligence Service, Bundesnachrichtendienst (BND), is highly sophisticated and has been known to cooperate with the NSA as part of the greater Nine Eyes surveillance agreement. This may raise some concerns over its central servers being located in Germany (especially for those consumers that decide to use the server-side encryption for ease of use).

Mailbox.org prides itself on running a sustainable green business model. In addition, its mission statement keeps privacy and anonymity - as well as the evasion of government surveillance - at its core. The service is well rounded with a lot of features and can be considered fairly easy to use after some getting used to.

How much does Mailbox.org cost?

Mailbox.org allows potential subscribers to give the email service a test run for 30 days, for free. Beyond that users must pay either €1 per month for 2GB of mail storage and 3 addresses or €2.50 per month for 5GB of mail storage and a whopping 25 addresses.

For anybody with more specific needs, the option to customize the subscription plan is also there, allowing enterprise users to gain access to more storage or addresses as needed.

On the whole, we found that the €1 plan would be suitable for most people’s needs, providing users with all necessary features at an extremely competitive price. In fact, considering how feature-rich the service is - we consider it something of a bargain.

Features

PGP encryption (either server-side for ease of use or using the Mailvelope plugin)

PGP encrypted mailbox to secure all stored emails

Based in Germany

Can choose own domain

100% powered by eco-friendly energy

GDPR compliant

IMAP, POP and ActiveSync support for synchronizing

Qualys SSL Rating: A+ with HSTS and PFS

Calendar

Storage (Drive)

Webchat feature

Spreadsheets

Smart inbox

Spam filter and virus protection

Generate download links for large attachments

Address book feature for managing contacts

Privacy

When signing up to Mailbox, the firm is quick to remind users that they do not need to use their real name. This is in keeping with the firm’s privacy policy, which states that users may start their account anonymously if they wish.

In its privacy policy, Mailbox.org admits that at the time of registration an IP address is stored alongside the date and time of registration, which actually calls into question the ability to subscribe anonymously.

The firm explains that an IP is stored in order to allow the firm to comply with criminal investigations, should the need arise. Due to the fact that an IP address can be traced back to its real owner via an ISP, this may raise concerns for some people depending on their threat model. For any users that wish to conceal their real IP address from Mailbox.org, both while using the service and at the time of registration, the option is there to use a VPN to conceal this vital piece of data. This will allow users to gain access to the service privately.

The privacy policy is clearly written to be GDPR compliant, which means that consumers can be assured that their personal data will only be processed and held either with a legal basis for the processing or with direct consent. We like that the policy clearly specifies what metadata will be held, for what purposes, and for how long (though it is worth noting that it seems to state all metadata will be held for around 7 days, which may put some people off).

The privacy policy makes it clear that the firm is not retaining data for any purposes that could be considered questionable, and is not passing any personally identifiable data to third parties, affiliates, business partners, or advertisers. Any metadata that is held on its servers is only kept for a short period (between four and seven days) - and is said to only be there to ensure a satisfactory user experience.

Finally, Mailbox.org publishes a transparency report on its website. This allows users to understand the level of requests that the firm is being subjected to at the hands of the authorities. Mailbox.org clearly specifies that in 2018, 72 requests were made for information of which 13 were ultimately rejected.

On three occasions, the firm was forced to intercept telecommunications. Sadly, however, it is hard to ascertain the nature of those interceptions from the transparency report, which is a bit thin on the ground in terms of actual details.

Security

For security purposes, all communication with Mailbox.org servers is made with strong SSL/TLS-encryption (HTTPS). The firm also uses (EC)DHE algorithms for Perfect Forward Secrecy (PFS) which is there to prevent any possible future decryption of recorded data traffic.

In addition, the firm secures its domain with DNSSEC and DANE/TLSA; technology designed to ensure that there is no data manipulation by third parties. Furthermore, Mailbox.org uses HSTS, CAA, CSP, MTA-STS, and X-XSS to effectively prevent man-in-the-middle attacks (MitM) - adding to the security of its SSL/TLS communication channels.

Where email encryption is concerned, the firm allows users to either secure emails with browser-based PGP or server-side PGP for ease of use. For anybody wanting to make use of stronger end-to-end encryption (E2EE), it will be necessary to download the Mailvelope plugin. This is a relatively easy-to-use plugin that allows users to perform all PGP encryption from within their browser.

However, it is worth noting that browser-based encryption is implemented using JavaScript, which carries certain innate vulnerabilities that can allow a MitM attack to be carried out. Anybody wanting to avoid this possible JavaScript exploit will need to opt for using a dedicated email client.

The availability of server-side PGP encryption allows users to enjoy added ease of use. However, despite the firm’s insistence that it cannot actually access the passwords used to encrypt and decrypt emails, this cannot be considered as secure as E2EE. On the other hand, the web interface does allow people to send PGP encrypted emails to recipients who do not actually have PGP themselves (by providing them with an https-secured guest inbox on Mailbox’ servers). This is a nice extra, as long as you trust Mailbox.org’s server-side security.

A nice feature that is baked into the Mailbox.org service is the ability to perform a TLS check before actually sending an email. This allows people to check not only transit security but also the encryption quality level of the receiving server. In theory, this allows users to spot any discrepancies before sending an email off.
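As an added illustration of the MTA-STS protection mentioned earlier and of what a pre-send TLS check on the receiving server involves (this is example code written for this review, not Mailbox.org's own implementation): a small Python parser that reads an MTA-STS policy file, matches a receiving MX host against the policy's patterns using RFC 8461's single-label wildcard rule, and returns a sender-side verdict of deliver, deliver-but-report, or refuse. The policy text, domains and host names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class StsPolicy:
    version: str
    mode: str                 # "enforce", "testing" or "none"
    mx: list = field(default_factory=list)
    max_age: int = 0

def parse_policy(text: str) -> StsPolicy:
    """Parse the key/value file a domain serves at .well-known/mta-sts.txt."""
    version, mode, mx, max_age = None, None, [], None
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue                      # blank or malformed line, skipped
        key, value = key.strip().lower(), value.strip()
        if key == "version":
            version = value
        elif key == "mode":
            mode = value.lower()
        elif key == "mx":
            mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none") or max_age is None:
        raise ValueError("malformed MTA-STS policy")
    if mode != "none" and not mx:
        raise ValueError("policy must list at least one mx pattern")
    return StsPolicy(version, mode, mx, max_age)

def mx_matches(pattern: str, host: str) -> bool:
    """A leading '*' label matches exactly one label (so *.example.net does not match example.net)."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]              # ".example.net"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return host == pattern

def delivery_decision(policy: StsPolicy, mx_host: str, tls_ok: bool) -> str:
    """Sender-side verdict for one MX candidate: 'deliver', 'deliver+report' or 'refuse'."""
    if policy.mode == "none":
        return "deliver"
    if tls_ok and any(mx_matches(p, mx_host) for p in policy.mx):
        return "deliver"
    return "refuse" if policy.mode == "enforce" else "deliver+report"

# Constructed sample policy for illustration; not any real domain's policy.
SAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.example.net\nmax_age: 604800\n"
```

In enforce mode a certificate failure or an MX host outside the listed patterns is treated as a reason to refuse delivery rather than to fall back to cleartext, which is the downgrade an MTA-STS policy exists to prevent.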

We also like that Mailbox provides PGP encryption for all received messages, including messages that arrive unencrypted. Finally, it is worth noting that Mailbox.org uses HTTP Strict Transport Security (HSTS) on all of its web pages and the service receives an A+ score with Qualys.

Ease of Use

Opening a Mailbox.org account is easy and does not require users to use a real name. After completing the form and filling in the Google Captcha, users are told not to forget their password and are given the option to recover the account by providing a phone number. For security reasons, we declined that invitation.

Next, users are invited to take a guided tour.

We found the tutorial to be a useful way for new users to find out what is available to them. This is definitely a selling point for non-techy users, and the tutorial is available at any time by clicking on the bubble in the top right of the service.

Importing contacts from another web service is not initially obvious. In fact, we were only able to figure it out by contacting the help desk. To do so, you will first need to create a new public address book. Once that is done, you can click on the hamburger menu next to the address book and select import. Users can import contacts via vCard or CSV format (which is what we used).

With contacts imported, users can begin sending and receiving emails as they normally would. Anybody who wants to import their messages from another email client can do so via IMAP migration, or manually by opening both accounts in a single third-party email client such as Thunderbird.

In addition, there is a nifty migration service called Audriga that Mailbox users can pay €3 to import all of their emails, calendar, contacts, and tasks, from their old provider to Mailbox (Gmail is one of the services that can be migrated in this way). This feature might not be for everyone, because you do need to agree to this third party’s privacy policy. However, it might be quite useful for those who are less techy.

Where mobile users are concerned, there are no dedicated mobile apps for this service. If this is something you desire, it may be worth looking elsewhere. However, Mailbox.org does support IMAP and POP for use with third-party email apps - which means that you can use it on mobile as long as you don’t mind using a third-party client.

The Mailbox.org email service comes set up to provide PGP encryption using “Guard” - an easy web-based PGP solution that allows Mailbox’ servers to store your keys securely on your behalf. For anybody who finds this server-based encryption suspect, the option is there to switch over to the Mailvelope plugin. To do so, first install the extension in your Chrome or Firefox browser. Next, click on the settings cog in the top nav, followed by PGP in Webmailer. In this window, you will be able to select Mailvelope.

As soon as Mailvelope is activated, you will be able to use your browser-based PGP key to encrypt and decrypt emails from inside of Mailbox’ service.

On the whole, despite having a few teething issues, we did find it easy to use this email provider. Admittedly, we did need to communicate with the support desk to figure out some things, which may put some non-techy users off the service.

Customer Support

Contact with support is achieved by visiting the Mailbox.org website. Clicking on Support allows you to choose from a number of options including “Technical Support.” Once you have selected your preferred choice, you will be asked to enter your email address and password. Following that, you will be able to fill in a form with your questions.

Responses to requests are handled using a ticket-based system, for which replies will come to your inbox. Even free users are permitted to use this service, and we found it to be extremely fast. We made three requests in total and got answers within five minutes of asking. The responses were always helpful and even arrived with screenshots showing us exactly where the import feature, IMAP, and switching over to Mailvelope are located within the software.

In addition to the handy ticket system, the Mailbox.org website has a number of blogs and guides for helping users out. One drawback of this system is that we often found responses to questions from users who had accidentally provided incorrect information. This can be frustrating and can leave you wondering why something is not working for you. However, overall the website resources are probably quite useful, especially if used in combination with the support desk.

Conclusion

Mailbox.org is a well-rounded email service that allows users to make use of most of its features on the free plan. This is excellent because it allows consumers to get a proper taste of what it has to offer before deciding to purchase a subscription. Although compared to some other email services (such as Mailfence and Posteo), Mailbox may seem a little confusing at first - the reality is that with a little playing around it is possible to find all the necessary features.

The easy server-side “Guard” PGP encryption feature allows even non-techy users to jump straight into the world of encrypted emails. And, for those who prefer to control their keys locally, the option is there to use Mailvelope or even a dedicated email client such as Thunderbird.

With built-in storage, a calendar, an address book, spreadsheets, and even a web chat feature built into the client, this email provider can easily be compared to the functionality you get with Google. At a cost of just €1 per month to increase email storage space to 2GB and 3 addresses, this email provider is a low-cost solution, and since users can easily opt for custom domains, this provider has most people’s needs covered.

One downside to this particular email service (compared to Tutanota, for example) is that it does not permit users to encrypt message metadata. However, this is normal for PGP encrypted emails (which always reveal some metadata) and Tutanota only achieves it by using AES instead. This means the fact that Mailbox actually allows users to scrub their IP address from the header of outgoing messages is excellent.

To conclude, this is a feature-rich budget email service that has more features than some of its biggest competitors. ProtonMail - which is low on features comparatively - will cost you around three times more than Mailbox.org’s service. In our opinion this makes Mailbox.org stand out as something of a bargain.